commit 49ac11a2a47606cf3f8e756b9ef32a2303648097 Author: Douglas Barone Date: Wed Sep 28 09:29:06 2022 -0400 v1
diff --git a/README.md b/README.md
new file mode 100644
index 0000000..3e52c63
--- /dev/null
+++ b/README.md
@@ -0,0 +1,38 @@
+# Samba to PAN OS user mapping
+
+This script maps Samba logged in users to a Palo Alto Firewall using the XML API.
+
+Tested with Samba version 4.13.17-Ubuntu and PAN OS 8.1.0.
+
+## Instructions
+
+- Clone or download this repo into `/root/` (or another folder of your choice, but take note of it).
+- Create a user with admin privileges on the target firewall (it's recommended, but not mandatory, that this user have only access to the XML API thru a custom role based profile)
+- Run the `getKey.sh` script passing the management IP address as first parameter, username as second parameter and password as third parameter. The script will print out the API key needed to run the mapping script. You only have to do this once. Ex.:
+
+```
+$ ./getKey.sh 192.168.0.2 username password
+LUFRPT1B...ASDFerjbyr0=
+```
+
+- Then, call `smb-pan.sh` as root (or sudo) passing the management IP address and the API key from the previous script, like so:
+
+```
+# ./smb-pan.sh 192.168.0.2 LUFRPT1B...ASDFerjbyr0=
+```
+
+This will map current logged users to the firewall. You can verify it in the firewall monitor.
+
+## Scheduling a crontab
+
+Now, you need to schedule the execution of the script. I recommended 10 seconds interval. The easy way of doing it is putting 6 entries on `/etc/crontab` (not so pretty... But...):
+
+```
+# /etc/crontab
+* * * * * root bash /home/root/samba-panos-map/smb-pan.sh 192.168.0.2 LUFRPT1B...ASDFerjbyr0=
+* * * * * root ( sleep 10; bash /home/rootsamba-panos-map/smb-pan.sh 192.168.0.2 LUFRPT1B...ASDFerjbyr0=)
+* * * * * root ( sleep 20; bash /home/rootsamba-panos-map/smb-pan.sh 192.168.0.2 LUFRPT1B...ASDFerjbyr0=)
+* * * * * root ( sleep 30; bash /home/rootsamba-panos-map/smb-pan.sh 192.168.0.2 LUFRPT1B...ASDFerjbyr0=)
+* * * * * root ( sleep 40; bash /home/rootsamba-panos-map/smb-pan.sh 192.168.0.2 LUFRPT1B...ASDFerjbyr0=)
+* * * * * root ( sleep 50; bash /home/rootsamba-panos-map/smb-pan.sh 192.168.0.2 LUFRPT1B...ASDFerjbyr0=)
+```
diff --git a/getKey.sh b/getKey.sh
new file mode 100755
index 0000000..4767768
--- /dev/null
+++ b/getKey.sh
@@ -0,0 +1,17 @@
+#!/bin/bash
+# This script is used to get the API key from a palo alto firewall
+
+FW_MGMT_IP=$1
+USERNAME=$2
+PASSWD=$3
+
+# Check parameters
+if [ $# -ne 3 ]; then
+ echo "Usage: $0 "
+ exit 1
+fi
+
+URL="https://$FW_MGMT_IP/api/?type=keygen&user=$USERNAME&password=$PASSWD"
+
+# Get the key from firewall
+curl -k -s -X POST "$URL" | grep -oP '(?<=)[^<]+'
diff --git a/smb-pan.sh b/smb-pan.sh
new file mode 100644
index 0000000..6b43b62
--- /dev/null
+++ b/smb-pan.sh
@@ -0,0 +1,60 @@
+#!/bin/bash
+
+# This script is used to map samba users to a palo alto firewall using the XML API
+# Check parameters
+if [ $# -ne 2 ]; then
+ echo "Usage: $0 "
+ exit 1
+fi
+
+# Configuration
+FW_MGMT_IP=$1
+FW_KEY=$2
+TIMEOUT_IN_MINUTES=5
+
+CURL=$(which curl)
+
+# Get current logged in users
+LOGGED_USERS=$(sudo smbstatus -b | tail -n +5)
+
+# Count logged in users
+LOGGED_USERS_COUNT=$(echo "$LOGGED_USERS" | wc -l)
+
+while read -r line; do
+ USER=$(echo $line | awk '{print $2}')
+ IP=$(echo $line | awk '{print $5}')
+
+ # Vefiry if user is a computer account (ends with $)
+ if [[ $USER =~ \$ ]]; then
+ echo "User $USER is a computer account, skipping"
+ continue
+ fi
+
+ # Verify if user is 'nobody'
+ if [[ $USER = nobody ]]; then
+ echo "Nobody account, skipping"
+ continue
+ fi
+
+ echo "Mapping $USER to $IP"
+ ENTRIES="$ENTRIES"
+done <<<"$LOGGED_USERS"
+
+# Check if ENTRIES is empty
+if [ -z "$ENTRIES" ]; then
+ echo "No users logged in, skipping"
+ exit 0
+fi
+
+COMMAND="1.0update$ENTRIES"
+
+URL="https://$FW_MGMT_IP/api/?type=user-id&key=$FW_KEY&cmd=$COMMAND"
+
+echo ---
+
+$CURL -k -H "Content-Type: application/xml" -X POST "$URL"
+
+# Get current datetime
+NOW=$(date +"%Y-%m-%d %H:%M:%S")
+
+echo $NOW " - $LOGGED_USERS_COUNT users mapped to firewall" >/var/log/smb-pan.log
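Review bot: The admin password is interpolated into the query string at `URL="https://$FW_MGMT_IP/api/?type=keygen&user=$USERNAME&password=$PASSWD"` and taken from argv, so it is visible to every local user via `ps`, lands in the shell history and in any proxy or web-server access log on the path, and a password containing `&`, `%` or `#` silently corrupts the request because nothing URL-encodes it. `curl -k` on the last line then sends it without verifying the firewall's certificate; the same `-k` is used in the `smb-pan.sh` hunk of this commit. Prefer sending the fields as a form body with `--data-urlencode`, prompting for the password when it is not given, and replacing `-k` with `--cacert` for a private CA, as sketched below. Separately, the usage message `echo "Usage: $0 "` and the grep lookbehind `(?<=)` appear to have lost their `<...>` text in rendering (an empty lookbehind matches everywhere); confirm the file on disk still carries the placeholders and the key element name.
```shell
# … unchanged: shebang and header comment …

if [ $# -lt 2 ] || [ $# -gt 3 ]; then
  echo "Usage: $0 FW_MGMT_IP USERNAME [PASSWORD]  (omit PASSWORD to be prompted)" >&2
  exit 1
fi

FW_MGMT_IP=$1
USERNAME=$2
if [ $# -eq 3 ]; then
  PASSWD=$3   # kept for compatibility; still visible in ps/history, prefer the prompt
else
  read -r -s -p "Password for $USERNAME: " PASSWD
  echo >&2
fi

# Send the credentials as a form body so they stay out of the URL and are
# percent-encoded; the certificate is verified (add --cacert CA_FILE for a private CA).
curl -s -S -X POST "https://$FW_MGMT_IP/api/" \
  --data-urlencode 'type=keygen' \
  --data-urlencode "user=$USERNAME" \
  --data-urlencode "password=$PASSWD" \
  | grep -oP '(?<=)[^<]+'   # … unchanged: key extraction (restore the element name in the lookbehind) …
```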
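Review bot: The API key is placed in the query string at `URL="https://$FW_MGMT_IP/api/?type=user-id&key=$FW_KEY&cmd=$COMMAND"` and read from argv (`FW_KEY=$2`), so a key that authorises User-ID changes on the firewall shows in `ps` for every local user on each cron run and in any proxy or access log along the way, and the raw XML in `$COMMAND` goes into the URL unencoded. Post `type`, `key` and `cmd` as form fields with `--data-urlencode` instead (sketched below), and consider reading the key from a root-only file so it is not a command-line argument at all. Two smaller points: `LOGGED_USERS_COUNT` is taken from the unfiltered `smbstatus` output before the computer-account and `nobody` checks skip rows, so the figure written to the log overstates what was mapped (count inside the loop after the skip checks, e.g. `MAPPED_COUNT=$((MAPPED_COUNT + 1))`, the here-string loop runs in the current shell so the value survives); and `>/var/log/smb-pan.log` truncates the log on every run, so `>>` is probably intended. `ENTRIES="$ENTRIES"` and `COMMAND="1.0update$ENTRIES"` look like they lost their XML element text in rendering, which would also explain why `TIMEOUT_IN_MINUTES` appears unused here; verify against the file on disk.
```shell
# … unchanged: argument check, configuration, smbstatus loop, ENTRIES/COMMAND assembly …

# Send key and XML as form fields: they stay out of the URL (and of access logs)
# and curl percent-encodes the XML; the certificate is verified
# (add --cacert CA_FILE for a private CA).
$CURL -s -S -X POST "https://$FW_MGMT_IP/api/" \
  --data-urlencode 'type=user-id' \
  --data-urlencode "key=$FW_KEY" \
  --data-urlencode "cmd=$COMMAND"

# … unchanged: timestamp and log line …
```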